What is Formjacking?
The Emerging Threat of Formjacking: Understanding the Malicious Code Stealing Your Sensitive Information Online
As consumers have become smarter regarding password management and phishing scams, the criminal playbook has evolved to include new software hacks to steal personal information. One such scam is formjacking, a new form of digital information theft.
Formjacking Definition
Formjacking Definition: A formjacking attack follows the approach of a man-in-the-middle attack, carried out online and focused on webpage forms. The formjacking technique involves injecting malicious code into a website in order to hijack the functionality of its online forms and collect sensitive user details.
What is Formjacking?
What is formjacking and where does it occur? Formjacking is a relatively new hacking method, mainly used to exploit and steal sensitive information from commercial websites. Cyber criminals have adapted credit card skimming techniques in order to hijack virtual forms implemented on websites, in what is now known as ‘formjacking attacks’.
Formjacking attacks occur when criminals use malware to insert formjacking code into a commercial website. A site infected with formjacking code can then capture a user’s data when they submit an online order form, and transmit the information to the hacker. Criminals will typically target sites that collect personal, private information, including banking and e-commerce sites, hoping for a large payoff.
A formjacking website is able to carry out criminal activity without disrupting a legitimate user transaction, which makes it effective because it evades detection. As online forms often collect login credentials, names, addresses, phone numbers, and credit card information, once the threat actor has compromised the page they can sell the exfiltrated data on the dark web or use it to breach other networks. Victims will be unaware of what has happened and are unlikely to realize that they need formjacking protection; they may only be alerted to the theft later, depending on what data has been stolen or how it is used.
For example, many attacks are aimed at payment gateways in order to steal bank details or credit card information. In this instance, a bank may contact the victim regarding suspicious activity on their account. However, in other scenarios, a victim may not know that their personal details have been compromised.
The success of these attacks can be attributed to the unprotected weak points of online retailers and e-commerce sites. In this instance, the supply chains are the weakest link. Many formjacking attacks tend to be the result of attackers compromising third-party services commonly used by online retailers, such as customer review widgets or chatbots.
Formjacking Examples
Notoriously successful formjacking examples that have occurred in recent years include:
British Airways Formjacking Attack
In 2018, the cyber criminal hacking gang known as Magecart enacted a formjacking attack by using malicious code to steal data that British Airways customers entered into a payment form, and sent it to an attacker-controlled server. British Airways confirmed that the compromised data included customer payment card expiration dates and Card Verification Value (CVV) codes.
The attack wasn't elaborate, but it was effective, as the cyber attackers tailored the malicious code to specific scripting and data flow weaknesses of the British Airways site, affecting roughly 380,000 customer transactions made between August 21 and September 5 of that year.
Ticketmaster Formjacking Attack
Magecart was also behind the 2018 Ticketmaster formjacking attack, using a supply chain attack technique. Magecart attackers first targeted Ticketmaster’s chatbot service provider. After compromising the chatbot, attackers altered the JavaScript code on the Ticketmaster payment page, in order to carry out the functions of a ‘credit card skimmer’ or keylogger. In this way, data submitted to the Ticketmaster website was also sent to a drop server managed by the attackers, who could then use it to steal personal data and customer information.
Average Length of Formjacking Attack
If you discover a formjacking attack, it is important to investigate how long this attack has been going on. While the average length of formjacking attacks differs depending on scale, Infosec researchers can check any periodic backups to find when the malicious code first appeared. For online business owners, if you have a general idea of the time scale involved in the attack, you can cross-reference the dates with your online website orders to discover if customer data has been compromised. For example, British Airways calculated that the 2018 formjacking attack was carried out over 15 days.
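As an added illustration of the backup cross-referencing described above (not code from the original page), this Python snippet hashes copies of a checkout script taken from periodic backups, compares them with a known-good baseline, finds the first tampered snapshot, bounds the exposure window conservatively at the last clean backup, and lists the orders placed inside that window. The backup dates, script contents and order log are constructed placeholders.

```python
import hashlib
from datetime import date

# Hypothetical baseline: the checkout script as shipped in the last known-good release.
KNOWN_GOOD_SCRIPT = "function submitOrder(f){ return post('/api/order', f); }"
# Constructed backup snapshots (ISO date -> script contents in that backup).
# The injected content is a placeholder comment, not real skimmer code.
BACKUPS = {
    "2024-04-01": KNOWN_GOOD_SCRIPT,
    "2024-04-08": KNOWN_GOOD_SCRIPT,
    "2024-04-15": KNOWN_GOOD_SCRIPT + "/*unexpected addition*/",  # first differing snapshot
    "2024-04-22": KNOWN_GOOD_SCRIPT + "/*unexpected addition*/",
}
# Constructed order log: (order_id, ISO order date).
ORDERS = [("A100", "2024-04-05"), ("A101", "2024-04-12"),
          ("A102", "2024-04-16"), ("A103", "2024-04-27")]

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def first_tampered_backup(backups, known_good_hash):
    """Date of the earliest backup whose script hash differs from the baseline, else None."""
    for day in sorted(backups):          # ISO dates sort chronologically as strings
        if sha256(backups[day]) != known_good_hash:
            return day
    return None

def exposure_window(backups, known_good_hash, discovered_on):
    """Conservative window: from the last backup that was still clean (the code could have
    been altered any time after it) up to the day the attack was discovered."""
    first_bad = first_tampered_backup(backups, known_good_hash)
    if first_bad is None:
        return None
    clean = [d for d in sorted(backups) if d < first_bad]
    return (clean[-1] if clean else first_bad), discovered_on

def orders_at_risk(orders, window):
    """Order IDs placed inside the window; these customers need notifying."""
    start, end = window
    return [oid for oid, day in orders if start <= day <= end]

if __name__ == "__main__":
    window = exposure_window(BACKUPS, sha256(KNOWN_GOOD_SCRIPT), "2024-04-29")
    days = (date.fromisoformat(window[1]) - date.fromisoformat(window[0])).days
    print(f"exposure window {window[0]}..{window[1]} ({days} days)")
    print("orders to review:", orders_at_risk(ORDERS, window))
```

Note that the window starts at the last clean backup rather than the first tampered one, because the injection could have happened at any point between the two snapshots.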
It is advisable to warn customers how and if any details have been leaked, and also include details of the steps taken to remediate the vulnerability and how you will attempt to prevent this kind of attack from happening again.
How to Prevent Formjacking
In order to learn how to prevent formjacking attacks, it’s important to stay vigilant at all times:
* Keep on top of your credit score. A significant drop can indicate criminal activity.
* Check credit card statements and make sure you recognize every transaction.
* As formjacking code can be added to existing website scripts via even the smallest of weak points in the underlying software, these tiny vulnerabilities can quickly turn into giant exposures. Keep software regularly updated, including any extensions, and employ patches if necessary.
* Most web browsers include developer tools that show the requests a page makes, so it may be possible to detect a formjacking attack by identifying any unknown web addresses appearing in the network logs for your website.
* Machine learning solutions are particularly useful in preventing formjacking. By leveraging AI to monitor behavioral patterns, user behavior, and traffic, anomalies can be identified that may indicate data being sent to unknown servers, and aid in formjacking prevention.
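As an added example (not from the original page), here is a small Python check in the spirit of the network-log point above: it parses constructed log lines of a checkout page's outbound requests and flags any request that sends a body to a host outside an allowlist of expected destinations, which is the trace the British Airways and Ticketmaster skimmers left behind (form data posted to an attacker-controlled drop server). The log format, host names and allowlist are assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) shop's checkout page is expected to talk to.
# In practice, build this from a known-good capture of the page's network activity.
EXPECTED_HOSTS = {
    "shop.example",            # first party (placeholder domain)
    "pay.psp.example",         # the payment service provider
    "cdn.reviews.example",     # the review widget the page legitimately loads
}

# Constructed sample of network log lines: "<timestamp> <method> <url> <bytes-sent>".
# The last line mimics a skimmer posting checkout data to an unknown drop server.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z GET https://shop.example/checkout 0
2024-05-01T10:00:02Z GET https://cdn.reviews.example/widget.js 0
2024-05-01T10:00:30Z POST https://pay.psp.example/api/authorize 612
2024-05-01T10:00:30Z POST https://collect.unknown-drop.example/g 588
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")

def parse_line(line):
    """Return (timestamp, method, host, bytes_sent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, url, sent = m.groups()
    host = urlparse(url).hostname
    if host is None:
        return None
    return ts, method, host.lower(), int(sent)

def find_unexpected_exfil(log_text, expected_hosts, min_bytes=100):
    """Flag requests that send a body (POST/PUT of at least min_bytes) to a host that is
    neither an expected host nor a subdomain of one."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, method, host, sent = parsed
        allowed = any(host == h or host.endswith("." + h) for h in expected_hosts)
        if not allowed and method in ("POST", "PUT") and sent >= min_bytes:
            findings.append({"time": ts, "host": host, "bytes": sent})
    return findings

if __name__ == "__main__":
    for f in find_unexpected_exfil(SAMPLE_LOG, EXPECTED_HOSTS):
        print(f"ALERT {f['time']}: {f['bytes']} bytes sent to unknown host {f['host']}")
```

Any host the check reports should be verified against the site's own third-party inventory before raising an incident, since a newly added legitimate service looks the same as a drop server until it is allowlisted.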
What To Do If You Think You’ve Been The Victim of a Formjacking Attack
If you suspect a formjacking attack may have occurred:
* Check bank and credit card statements for unauthorized or unfamiliar purchases that may indicate a scam.
* Cancel the affected debit or credit cards, and alert your bank that fraud has occurred.
* Monitor your credit scores, so you will be aware if a new card has been opened using your personal information.
* Contact the administrator of the suspected disrupted website, so that they know to find and remove the malicious code, and patch the vulnerability to prevent further attacks.
* Pre-empt formjacking attacks and other cyber attacks by investing in full cybersecurity protection services such as ReasonLabs’ EDR.
Formjacking FAQs
What is formjacking?
Formjacking is a type of cyber attack where hackers inject malicious code into a website's payment form to steal sensitive information such as credit card details and personally identifiable information (PII) from unsuspecting users.
How does formjacking work?
Formjacking works by injecting malicious code into a website's payment form. This code is designed to steal sensitive information entered by the user on this form, such as credit card numbers, names, and addresses, and then send it to the attacker's server.
How can I protect myself from formjacking attacks?
To protect yourself from formjacking attacks, make sure to only enter your credit card information on reputable websites. Additionally, ensure that your antivirus and anti-malware software are up to date and regularly scan your device for any malicious software.
What should I do if I suspect a formjacking attack?
If you suspect a formjacking attack, stop any transactions immediately, and notify the website's owner. Also, contact your bank or credit card provider to inform them of the potential breach and monitor your accounts for any suspicious activity. Lastly, run a full virus and malware scan on your device to ensure that there are no lingering threats.